CN107819585B - SM9 digital signature collaborative generation method and system - Google Patents

Publication number
CN107819585B
Authority
CN
China
Legal status
Active
Application number
CN201711147604.9A
Other languages
Chinese (zh)
Other versions
CN107819585A (en)
Inventor
龙毅宏
Current Assignee
Wuhan University of Technology WUT
Original Assignee
Wuhan University of Technology WUT

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861: Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0863: Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords

Abstract

The invention relates to a collaborative generation method for SM9 digital signatures, which comprises the following: $m$ devices each hold an integer secret $c_i$, $i = 1, \ldots, m$, $m \geq 2$; $P_A = [(c_1 c_2 \cdots c_m)^{-1}]d_A$ and $g_c = g^{(c_1 c_2 \cdots c_m)^{-1}}$ are precomputed, where $d_A$ is the user's private key, $g = e(P_1, P_{pub})$, and ^ denotes exponentiation; when $d_A$ is required to digitally sign a message $M$, device 1 arbitrarily selects an integer $r_1$ and calculates $g_1 = g_c^{r_1}$; devices $i$, $i = 2, \ldots, m$, in turn arbitrarily select an integer $r_i$ and calculate $g_i = (g_{i-1}^{c_i})(g_c^{r_i})$; device $m$ calculates $h = H_2(M \| g_m, n)$; device 1 calculates $S_1 = [r_1 - c_1 h]P_A$; devices $i$, $i = 2, \ldots, m$, in turn calculate $S_i = [c_i]S_{i-1} + [r_i]P_A$; $(h, S_m)$ is the generated digital signature.

Description

SM9 digital signature collaborative generation method and system
Technical Field
The invention belongs to the technical field of information security, and particularly relates to a collaborative generation method and a collaborative generation system for SM9 digital signatures.
Background
SM9 is an identification cryptographic algorithm, issued by the national cryptography authority, that is based on bilinear mapping (pairing operation), where the bilinear mapping (pairing operation) is:
$e: G_1 \times G_2 \to G_T$, in which $G_1$, $G_2$ are additive cyclic groups, $G_T$ is a multiplicative cyclic group, and the order of $G_1$, $G_2$, $G_T$ is a prime $n$ (note: in the SM9 specification the order of $G_1$, $G_2$, $G_T$ is denoted by the capital letter $N$; the present application uses the lower-case $n$); that is, if $P$, $Q$, $R$ are elements of $G_1$, $G_2$ respectively, then $e(P, Q)$ is an element of $G_T$, and:
$e(P + R, Q) = e(P, Q)\,e(R, Q)$,
$e(P, Q + R) = e(P, Q)\,e(P, R)$,
$e(aP, bQ) = e(P, Q)^{ab}$.
The SM9 algorithm can realize identification-based digital signature, key exchange and data encryption, but the common secret-sharing-based digital signature methods are not suitable for the SM9 algorithm. A secret-sharing-based digital signature divides the user's private key, or a secret related to the user's private key, into a plurality of shares (each referred to as a secret share) and stores the shares in a plurality of devices; when a message needs to be signed using the user's private key, the devices holding the secret shares perform a cooperative calculation with their shares to obtain the final digital signature.
Disclosure of Invention
The invention aims to provide a collaborative generation method and a collaborative generation system suitable for SM9 digital signatures.
Aiming at the purpose of the invention, the technical scheme provided by the invention comprises an SM9 digital signature collaborative generation method and system.
In the following description of the present invention, if $P$, $Q$ are elements of the additive groups $G_1$, $G_2$, then $P + Q$ represents the addition of $P$ and $Q$ in the additive group, $P - Q$ represents $P$ plus the inverse of $Q$ (additive inverse), and $[k]P$ represents the addition of $k$ copies of $P$ in the additive group, i.e., $P + P + \cdots + P$ ($k$ copies of $P$ in total) (if $k$ is negative, it is the additive inverse of the result of adding $|k|$ copies of $P$);
an ellipsis "…" represents a plurality of identical (types of) data items or a plurality of identical operations;
if $a$, $b$ are elements of the multiplicative group $G_T$, then $ab$ or $a \cdot b$ represents the multiplication of $a$ and $b$ in the multiplicative group $G_T$ ("$\cdot$" may be omitted as long as this produces no ambiguity), $a^{-1}$ represents the inverse of $a$ in the multiplicative group (multiplicative inverse), and $a^t$ represents the multiplication of $t$ copies of $a$ in the multiplicative group $G_T$ (if $t$ is negative, it is the inverse of the product of $|t|$ copies of $a$), i.e., exponentiation; $a^t$ is also written a^t;
if $c$ is an integer, then $c^{-1}$ represents the modulo-$n$ multiplicative inverse of the integer $c$ (i.e., $c c^{-1} \bmod n = 1$); unless otherwise specified, the multiplicative inverses of integers in the invention are modulo-$n$ multiplicative inverses with respect to the order $n$ of the groups $G_1$, $G_2$, $G_T$;
for the multiplication of several integers (including multiplication of integer symbols, and of a constant with an integer symbol), the multiplication sign "$\cdot$" is omitted where no ambiguity arises, e.g., $k_1 \cdot k_2$ is simplified to $k_1 k_2$, and $3 \cdot c$ to $3c$;
mod n denotes the modulo n operation (modulo operation), corresponding to modN in the SM9 specification; also, the operator mod n of the modulo n operation is of lowest priority, e.g., a + b mod n equals (a + b) mod n, a-b mod n equals (a-b) mod n, ab mod n equals (ab) mod n.
The SM9 digital signature collaborative generation method comprises two schemes, which are specifically as follows.
Scheme I,
Scheme I of the SM9 digital signature collaborative generation method involves $m$ devices, where $m \geq 2$;
the $m$ devices are numbered No. 1 to No. $m$;
the $m$ devices respectively store integer secrets $c_1, c_2, \ldots, c_m$ in the interval $[1, n-1]$, where $n$ is the order (a prime) of the groups $G_1$, $G_2$, $G_T$ in the SM9 cryptographic algorithm, and $c_i$ is the secret held by device No. $i$, $i = 1, \ldots, m$;
the following are pre-calculated in the initialization phase:
$P_A = [(c_1 c_2 \cdots c_m)^{-1}]d_A$,
$g_c = g^{(c_1 c_2 \cdots c_m)^{-1}}$,
where $d_A$ is the SM9 identification private key corresponding to the user's identity $ID_A$ ($d_A$ is an element of group $G_1$), $(c_1 c_2 \cdots c_m)^{-1}$ is the modulo-$n$ multiplicative inverse of $(c_1 c_2 \cdots c_m)$ (i.e., the modulo-$n$ multiplicative inverse of $(c_1 c_2 \cdots c_m) \bmod n$), $g = e(P_1, P_{pub})$, $P_1$ is the generator of $G_1$, and $P_{pub}$ is the master public key (i.e., $P_{pub} = [s]P_2$, where $s$ is the master private key or master key and $P_2$ is the generator of $G_2$; see the SM9 specification);
when a message $M$ needs to be digitally signed using the user's SM9 identification private key $d_A$, the $m$ devices generate the digital signature as follows (the entity that needs to digitally sign the message $M$ with the user's SM9 identification private key $d_A$ may be a cryptographic application, system or cryptographic module that invokes the $m$ devices, or a cryptographic application or system in one of the $m$ devices):
device No. 1 randomly selects an integer $r_1$ in the interval $[1, n-1]$ and calculates $g_1 = g_c^{r_1}$ or $g_1 = g_c^{c_1 r_1}$;
device No. 1 sends $g_1$ to the next device, i.e., device No. 2;
after receiving $g_{i-1}$, device No. $i$, $i = 2, \ldots, m$, randomly selects an integer $r_i$ in the interval $[1, n-1]$ and calculates $g_i = (g_{i-1}^{c_i})(g_c^{r_i})$ or $g_i = (g_{i-1}\, g_c^{r_i})^{c_i}$;
if $i = m$, the process proceeds to the calculation of $h$; otherwise, device No. $i$ sends $g_i$ to the next device, i.e., device No. $i+1$, until device No. $m$ completes the calculation of $g_m$;
(the formulas the devices use to calculate $g_i$ are independent of each other and need not be the same)
device No. $m$ takes $w = g_m$;
one of the $m$ devices (typically device No. 1 or No. $m$):
calculates $h = H_2(M \| w, n)$, where $H_2$ is the hash function specified in SM9, $M \| w$ denotes $w$ converted to a string and concatenated with the string of $M$, and $n$ is the order of the groups $G_1$, $G_2$, $G_T$ in the SM9 cryptographic algorithm;
checks whether $w$ equals $g^h$; if $w = g^h$, the calculation of $g_1, \ldots, g_m$ is performed again, until $w \neq g^h$;
thereafter, device No. 1 calculates $S_1$ as follows:
if the formula device No. 1 previously used to calculate $g_1$ was $g_1 = g_c^{r_1}$, then:
$S_1 = [r_1 - c_1 h]P_A$;
if the formula device No. 1 previously used to calculate $g_1$ was $g_1 = g_c^{c_1 r_1}$, then:
$S_1 = [c_1 r_1 - c_1 h]P_A$;
(here $r_1$ is the same $r_1$ that was used in calculating $g_1$)
device No. 1 sends $S_1$ to the next device, i.e., device No. 2;
after receiving $S_{i-1}$, device No. $i$, $i = 2, \ldots, m$, calculates $S_i$ as follows:
if the formula device No. $i$ previously used to calculate $g_i$ was $g_i = (g_{i-1}^{c_i})(g_c^{r_i})$, then:
$S_i = [c_i]S_{i-1} + [r_i]P_A$;
if the formula device No. $i$ previously used to calculate $g_i$ was $g_i = (g_{i-1}\, g_c^{r_i})^{c_i}$, then:
$S_i = [c_i](S_{i-1} + [r_i]P_A)$;
(here $r_i$ is the same $r_i$ that was used in calculating $g_i$)
if $i = m$, then $S = S_m$ and $(h, S)$ is the generated digital signature for the message $M$; otherwise, device No. $i$ sends $S_i$ to the next device, i.e., device No. $i+1$, until device No. $m$ completes the calculation of $S_m$.
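
The chained exchange of Scheme I above, as an added example that is not part of the patent text: each device runs the first-listed formula for $g_i$ and $S_i$, and the resulting $(h, S)$ is checked against the ordinary single-signer SM9 verification equation. Assumptions: the pairing is replaced by a constructed toy bilinear group that exposes discrete logarithms (no security), SHA-256 replaces the SM3-based $H_1$/$H_2$, and all function names, the sample message and the sample identity are hypothetical.

```python
# Added example: Scheme I in a TOY bilinear group (constructed, no security).
# G1/G2 elements are kept as integers mod N (their multiple of P1/P2) and
# e(a, b) = GAMMA^(a*b) mod P. SHA-256 stands in for the SM3-based H1/H2.
import hashlib
import secrets
from math import isqrt, prod

def is_prime(x):
    return x > 2 and x % 2 == 1 and all(x % d for d in range(3, isqrt(x) + 1, 2))

def find_order(start):
    """Smallest prime n >= start such that 2n + 1 is prime too."""
    n = start | 1
    while not (is_prime(n) and is_prime(2 * n + 1)):
        n += 2
    return n

N = find_order(2**31)  # toy group order n
P = 2 * N + 1          # G_T = order-N subgroup of Z_P^*
GAMMA = 4              # a square other than 1, so its order is N; plays e(P1, P2)

def rand_scalar():
    return 1 + secrets.randbelow(N - 1)  # uniform in [1, N-1]

def pairing(a, b):
    return pow(GAMMA, a * b % N, P)

def hash_to_range(tag, data):
    digest = hashlib.sha256(tag + data).digest()
    return 1 + int.from_bytes(digest, "big") % (N - 1)

def H1(ident):
    return hash_to_range(b"\x01", ident)

def H2(msg, w):
    return hash_to_range(b"\x02", msg + w.to_bytes(8, "big"))

def kgc_keygen(ident):
    """Ordinary SM9 key extraction: returns (P_pub = [s]P2, d_A = [s/(H1+s)]P1)."""
    while True:
        s = rand_scalar()
        if (H1(ident) + s) % N:
            return s, s * pow(H1(ident) + s, -1, N) % N

class Device:
    """One co-signer: stores c_i, P_A and g_c, never d_A."""
    def __init__(self, c, p_a, g_c):
        self.c, self.p_a, self.g_c, self.r = c, p_a, g_c, None

    def step_g(self, g_prev=None):
        self.r = rand_scalar()
        mask = pow(self.g_c, self.r, P)
        if g_prev is None:                           # device 1: g_1 = g_c^r_1
            return mask
        return pow(g_prev, self.c, P) * mask % P     # g_i = g_{i-1}^c_i * g_c^r_i

    def step_s(self, h, s_prev=None):
        if s_prev is None:                           # device 1: S_1 = [r_1 - c_1 h]P_A
            return (self.r - self.c * h) * self.p_a % N
        return (self.c * s_prev + self.r * self.p_a) % N  # S_i = [c_i]S_{i-1} + [r_i]P_A

def deal_shares(d_a, g, m):
    """Initialization by a dealer that knows d_A and then discards it."""
    cs = [rand_scalar() for _ in range(m)]
    c_inv = pow(prod(cs) % N, -1, N)
    return [Device(c, c_inv * d_a % N, pow(g, c_inv, P)) for c in cs]

def cosign(msg, devices, g):
    while True:
        w = None
        for dev in devices:                          # g_1 -> g_2 -> ... -> g_m
            w = dev.step_g(w)
        h = H2(msg, w)
        if w != pow(g, h, P):                        # w = g^h would give S = identity
            break
    s = None
    for dev in devices:                              # S_1 -> S_2 -> ... -> S_m
        s = dev.step_s(h, s)
    return h, s

def sm9_verify(msg, sig, ident, p_pub):
    """Unmodified single-signer SM9 verification equation."""
    h, s = sig
    if not 1 <= h < N:
        return False
    g = pairing(1, p_pub)                            # g = e(P1, P_pub)
    u = pairing(s, (H1(ident) + p_pub) % N)          # e(S, [h1]P2 + P_pub)
    return H2(msg, u * pow(g, h, P) % P) == h        # w' = u * g^h

def demo(m=3, msg=b"constructed sample message", ident=b"alice@example.test"):
    p_pub, d_a = kgc_keygen(ident)
    g = pairing(1, p_pub)
    sig = cosign(msg, deal_shares(d_a, g, m), g)
    return sm9_verify(msg, sig, ident, p_pub), sm9_verify(msg + b"!", sig, ident, p_pub)
```

Only $g_i$ and $S_i$ cross between `Device` objects; the verifier needs no knowledge that the signature was produced by several parties.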
For Scheme I above, one way for the $m$ devices to obtain the secrets $c_1, \ldots, c_m$ and for $P_A$, $g_c$ to be calculated in the initialization phase is as follows:
the device that knows $d_A$ in advance (which may be one of the $m$ devices or a device other than the $m$ devices) randomly selects $m$ integers $c_1, \ldots, c_m$ in the interval $[1, n-1]$ and calculates:
$P_A = [(c_1 c_2 \cdots c_m)^{-1}]d_A$, $g_c = g^{(c_1 c_2 \cdots c_m)^{-1}}$, where $g = e(P_1, P_{pub})$;
it then destroys $d_A$ and distributes $P_A$, $g_c$, $c_i$ to device No. $i$, $i = 1, \ldots, m$ (possibly including itself).
For Scheme I above, if $d_A$ is known in advance by device No. 1, another way for the $m$ devices to obtain the secrets $c_1, \ldots, c_m$ and for $P_A$, $g_c$ to be calculated in the initialization phase is as follows:
device No. 1 randomly selects an integer $c_1$ in the interval $[1, n-1]$, or fixedly selects in $[1, n-1]$ an integer $c_1$ unknown to the other devices (i.e., the value of $c_1$ is fixed for different $d_A$), calculates $Q_1 = [(c_1)^{-1}]d_A$, $u_1 = g^{(c_1)^{-1}}$, where $g = e(P_1, P_{pub})$, and then sends $Q_1$, $u_1$ to the next device, i.e., device No. 2;
after receiving $Q_{i-1}$, $u_{i-1}$, device No. $i$, $i = 2, \ldots, m$, randomly selects an integer $c_i$ in the interval $[1, n-1]$, or fixedly selects in $[1, n-1]$ an integer $c_i$ unknown to the other devices (i.e., the value of $c_i$ is fixed for different $d_A$), and calculates $Q_i = [(c_i)^{-1}]Q_{i-1}$, $u_i = u_{i-1}^{(c_i)^{-1}}$;
if $i = m$, then $P_A = Q_m$, $g_c = u_m$ are taken; otherwise, device No. $i$ sends $Q_i$, $u_i$ to the next device, i.e., device No. $i+1$, until the calculation of $Q_m$, $u_m$ is completed;
finally, device No. $m$ distributes $P_A$, $g_c$ to the other $m-1$ devices, and device No. 1 destroys $d_A$.
In fact, the order of the devices in calculating $P_A$, $g_c$ is not important; if device No. $i$ knows $d_A$ in advance, a similar chained calculation may be used.
For Scheme I above, if the user's SM9 identification private key $d_A$ is also used for data decryption, and $e(d_A, V)$ needs to be calculated during data decryption, where $V$ is an element of group $G_2$, then $e(d_A, V)$ is cooperatively calculated as follows:
device No. 1 calculates $v_1 = e(P_A, V)^{c_1}$ and sends $v_1$ to the next device, i.e., device No. 2;
after receiving $v_{i-1}$, device No. $i$, $i = 2, \ldots, m$, calculates $v_i = v_{i-1}^{c_i}$;
if $i = m$, then $v_m$ is $e(d_A, V)$; otherwise, device No. $i$ sends $v_i$ to the next device, i.e., device No. $i+1$, until $i = m$.
Scheme II,
Scheme II of the SM9 digital signature collaborative generation method of the invention also involves $m$ devices, where $m \geq 2$;
the $m$ devices are numbered No. 1 to No. $m$;
the $m$ devices respectively store, or derive from stored secrets, integer secrets $c_1, c_2, \ldots, c_m$ in the interval $[1, n-1]$, where $n$ is the order (a prime) of the groups $G_1$, $G_2$, $G_T$ in the SM9 cryptographic algorithm, $c_i$ is the secret held or derived by device No. $i$, $i = 1, \ldots, m$, and $(c_1 + c_2 + \cdots + c_m) \bmod n \neq 0$;
the following are pre-calculated in the initialization phase:
$P_A = [(c_1 + c_2 + \cdots + c_m)^{-1}]d_A$,
$g_c = g^{(c_1 + c_2 + \cdots + c_m)^{-1}}$,
where $d_A$ is the SM9 identification private key corresponding to the user's identity $ID_A$ ($d_A$ is an element of group $G_1$), $(c_1 + c_2 + \cdots + c_m)^{-1}$ is the modulo-$n$ multiplicative inverse of $(c_1 + c_2 + \cdots + c_m)$ (i.e., the modulo-$n$ multiplicative inverse of $(c_1 + c_2 + \cdots + c_m) \bmod n$), $g = e(P_1, P_{pub})$, $P_1$ is the generator of $G_1$, and $P_{pub}$ is the master public key (i.e., $P_{pub} = [s]P_2$, where $s$ is the master private key or master key; see the SM9 specification);
when a message $M$ needs to be digitally signed using the user's SM9 identification private key $d_A$, the $m$ devices generate the digital signature as follows (the entity that needs to digitally sign the message $M$ with the user's SM9 identification private key $d_A$ may be a cryptographic application, system or cryptographic module that invokes the $m$ devices, or a cryptographic application or system in one of the $m$ devices):
device No. $i$ randomly selects an integer $r_i$ in the interval $[1, n-1]$ and calculates $g_i = g_c^{r_i}$, $i = 1, \ldots, m$;
one (any one) of the $m$ devices:
calculates $w = g_1 g_2 \cdots g_m$, $h = H_2(M \| w, n)$, where $H_2$ is the hash function specified in SM9, $M \| w$ denotes $w$ converted to a string and concatenated with the string of $M$, and $n$ is the order of the groups $G_1$, $G_2$, $G_T$ in the SM9 cryptographic algorithm;
checks whether $w$ equals $g^h$; if $w = g^h$, the calculation of $g_1, \ldots, g_m$ is performed again, until $w \neq g^h$;
thereafter, device No. $i$ calculates $S_i = [r_i - c_i h]P_A$, $i = 1, \ldots, m$;
(here $r_i$ is the same $r_i$ that was used in calculating $g_i$)
then one of the $m$ devices calculates $S = S_1 + S_2 + \cdots + S_m$;
$(h, S)$ is then the generated digital signature for the message $M$.
For Scheme II above, one way for the $m$ devices to obtain the secrets $c_1, \ldots, c_m$ and for $P_A$, $g_c$ to be calculated in the initialization phase is as follows:
the device that knows $d_A$ in advance (which may be one of the $m$ devices or a device other than the $m$ devices) randomly selects $m$ integers $c_1, \ldots, c_m$ in the interval $[1, n-1]$ such that $(c_1 + c_2 + \cdots + c_m) \bmod n \neq 0$, and calculates:
$P_A = [(c_1 + c_2 + \cdots + c_m)^{-1}]d_A$, $g_c = g^{(c_1 + c_2 + \cdots + c_m)^{-1}}$, where $g = e(P_1, P_{pub})$;
it then destroys $d_A$ and distributes $P_A$, $g_c$, $c_i$ to device No. $i$, $i = 1, \ldots, m$ (possibly including itself).
For Scheme II, if the user's SM9 identification private key $d_A$ is also used for data decryption, and $e(d_A, V)$ needs to be calculated during data decryption, where $V$ is an element of group $G_2$, then $e(d_A, V)$ is cooperatively calculated as follows:
device No. $i$ calculates $v_i = e(P_A, V)^{c_i}$, $i = 2, \ldots, m$;
one device calculates $v = v_1 v_2 \cdots v_m$; then $v = e(d_A, V)$.
Variant of Scheme II,
A variant of Scheme II of the SM9 digital signature collaborative generation method is as follows:
in the initialization phase, the device that knows $d_A$ in advance (which may be one of the $m$ devices or a device other than the $m$ devices) randomly selects in the interval $[1, n-1]$ an integer $c$ and $m$ integers $b_1, b_2, \ldots, b_m$ such that $(b_1 + b_2 + \cdots + b_m) \bmod n = 1$, and calculates:
$P_A = [c^{-1}]d_A$, $g_c = g^{c^{-1}}$, where $g = e(P_1, P_{pub})$;
$d_i = [b_i]d_A$, $i = 1, \ldots, m$;
it then destroys $d_A$, $c$, $b_1, \ldots, b_m$ and distributes $P_A$, $g_c$, $d_i$ to device No. $i$, $i = 1, \ldots, m$ (possibly including itself);
when a digital signature for the message $M$ needs to be generated using the user's SM9 identification private key $d_A$, device No. $i$ of the $m$ devices calculates $S_i$ as follows:
$S_i = [r_i]P_A + [-h]d_i$, $i = 1, \ldots, m$;
the other calculations and operations are unchanged, including the way $w$ is cooperatively calculated and the way $h$ and $S$ are calculated.
Threshold scheme,
On the basis of Scheme II, an SM9 digital signature threshold generation method can be obtained. The method involves $k$ devices, which cooperatively generate digital signatures by $(m, k)$ threshold secret sharing, $k > m \geq 2$;
in the initialization phase, the device that knows $d_A$ in advance (one of the $k$ devices or a device other than the $k$ devices) randomly selects an integer $c$ in the interval $[1, n-1]$, divides $c$ into $k$ secret shares according to the threshold secret sharing scheme, and calculates $P_A = [c^{-1}]d_A$, $g_c = g^{c^{-1}}$, where $g = e(P_1, P_{pub})$; it then destroys $d_A$ and distributes $P_A$, $g_c$ and the $k$ threshold secret shares to the $k$ devices respectively (possibly including itself);
when a digital signature for a message $M$ needs to be generated using the user's SM9 identification private key, $m$ of the $k$ devices form a combination, and the $m$ devices in the combination are designated devices No. 1 to No. $m$; each device in the combination uses its own threshold secret share and, according to the current combination, calculates (derives) the secret share required for applying Scheme II of the SM9 digital signature collaborative generation method (i.e., $c_1, \ldots, c_m$); the $m$ devices then generate the digital signature for the message $M$ by applying the aforementioned Scheme II of the SM9 digital signature collaborative generation method.
(The secret $c_i$, $i = 1, \ldots, m$, used by device No. $i$ of the $m$-device combination is a secret that device No. $i$ calculates or derives from its threshold secret share of $c$ and the combination of $m$ devices currently generating the digital signature. For example, for Shamir threshold secret sharing of $c$, if the polynomial of degree $m-1$ modulo $n$ is $f(x)$, then the threshold secret of device No. $j$ of the $k$ devices is $y_j = f(j)$, $j = 1, 2, \ldots, k$; when device No. $j$ generates a digital signature in combination with $m-1$ other devices, the secret corresponding to device No. $j$ is $(a_j y_j) \bmod n$, where $a_j$ is a parameter calculated from the combination of $m$ devices; if device No. $j$ of the $k$ devices is device No. $i$ of the $m$-device combination generating the digital signature, then $c_i = (a_j y_j) \bmod n$.)
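
The share derivation described in the threshold scheme, as an added example that is not part of the patent text: each device turns its Shamir share $y_j$ into the additive secret $c_i = (a_j y_j) \bmod n$ with a Lagrange coefficient for the current combination, and Scheme II is then run with those secrets. Assumptions: group elements are tracked only through their exponents ($w = g^{\rho}$, $S = [l]d_A$), a Mersenne prime stands in for the SM9 group order, SHA-256 over the exponent stands in for $H_2(M \| w, n)$, and all function names and the sample message are hypothetical.

```python
# Added example: (m, k) threshold variant, checked in exponents only.
# Group elements are tracked as scalars: w = g^rho and S = [l]d_A, so no
# pairing code is needed. N is a stand-in prime, not the SM9 group order.
import hashlib
import secrets
from itertools import combinations

N = 2**61 - 1  # Mersenne prime used as toy group order n


def shamir_split(c, m, k):
    """f has degree m-1 over Z_N with f(0) = c; device j receives y_j = f(j)."""
    coeffs = [c] + [secrets.randbelow(N) for _ in range(m - 1)]
    return {j: sum(a * pow(j, e, N) for e, a in enumerate(coeffs)) % N
            for j in range(1, k + 1)}


def lagrange_coeff(j, combo):
    """a_j for this combination: product over t != j of t / (t - j) mod N."""
    num = den = 1
    for t in combo:
        if t != j:
            num, den = num * t % N, den * (t - j) % N
    return num * pow(den, -1, N) % N


def derive_scheme2_secrets(shares, combo):
    """Each device j computes its own c_i = a_j * y_j mod N locally."""
    return {j: lagrange_coeff(j, combo) * shares[j] % N for j in combo}


def scheme2_sign_exponents(msg, c_i, c_inv):
    """Scheme II with P_A = [c^-1]d_A and g_c = g^(c^-1); returns (rho, h, l)."""
    while True:
        r = {j: 1 + secrets.randbelow(N - 1) for j in c_i}
        rho = c_inv * sum(r.values()) % N            # w = g_1 g_2 ... g_m = g^rho
        digest = hashlib.sha256(msg + rho.to_bytes(8, "big")).digest()
        h = 1 + int.from_bytes(digest, "big") % (N - 1)  # stand-in for H2(M||w, n)
        if rho != h:                                 # i.e. w != g^h
            break
    l = sum((r[j] - c_i[j] * h) * c_inv for j in c_i) % N  # S = sum [r_i - c_i h]P_A
    return rho, h, l


def check_all_combinations(m=3, k=5, msg=b"constructed sample message"):
    """True if every m-subset of the k devices yields S = [r - h]d_A with w = g^r."""
    c = 1 + secrets.randbelow(N - 1)
    shares = shamir_split(c, m, k)
    c_inv = pow(c, -1, N)
    for combo in combinations(range(1, k + 1), m):
        c_i = derive_scheme2_secrets(shares, combo)
        if sum(c_i.values()) % N != c:               # derived secrets must add up to c
            return False
        rho, h, l = scheme2_sign_exponents(msg, c_i, c_inv)
        if l != (rho - h) % N:                       # single-signer SM9 relation
            return False
    return True


def undersized_combo_recovers_c(m=3, k=5):
    """With only m-1 devices the derived secrets do not add up to c."""
    c = 1 + secrets.randbelow(N - 1)
    shares = shamir_split(c, m, k)
    combo = tuple(range(1, m))                       # m-1 devices
    return sum(derive_scheme2_secrets(shares, combo).values()) % N == c
```

Because the Lagrange coefficients depend on which devices take part, the values $c_i$ are recomputed for every combination, while $P_A$ and $g_c$ stay fixed.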
On the basis of the SM9 digital signature collaborative generation method, including Scheme I, Scheme II and the variant of Scheme II, an SM9 digital signature collaborative generation system can be constructed; the system includes $m$ devices that generate digital signatures for messages according to the SM9 digital signature collaborative generation method.
On the basis of the SM9 digital signature threshold generation method, an SM9 digital signature threshold generation system can be constructed; the system comprises $k$ devices, $k > m \geq 2$, and the $k$ devices generate digital signatures for messages according to the SM9 digital signature threshold generation method.
From the above description it can be seen that, with the method of the invention, when a message needs to be digitally signed using the user identification private key $d_A$, the $m$ devices can cooperatively generate the digital signature for the message; the method also supports threshold generation of the digital signature, i.e., $m$ of the $k$ devices generate the digital signature for the message through threshold secret sharing (threshold cryptographic operation).
Drawings
None.
Detailed Description
The present invention will be further described with reference to the following examples. The following examples are merely illustrative of a few possible embodiments of the present invention and are not intended to represent all possible embodiments and are not intended to limit the present invention.
Example 1,
This embodiment includes $m$ devices, numbered No. 1 to No. $m$; one of the $m$ devices, or a device other than the $m$ devices, knows $d_A$ in advance. In the initialization phase, the $m$ devices obtain the secrets $c_1, \ldots, c_m$, and $P_A$, $g_c$ are calculated, as follows:
the device that knows $d_A$ in advance randomly selects $m$ integers $c_1, \ldots, c_m$ in the interval $[1, n-1]$ and calculates:
$P_A = [(c_1 c_2 \cdots c_m)^{-1}]d_A$, $g_c = g^{(c_1 c_2 \cdots c_m)^{-1}}$, where $g = e(P_1, P_{pub})$;
it then destroys $d_A$ and distributes $P_A$, $g_c$, $c_i$ to device No. $i$, $i = 1, \ldots, m$ (possibly including itself);
thereafter, when a message needs to be digitally signed using the user's SM9 identification private key $d_A$, the $m$ devices generate the digital signature for the message according to Scheme I of the SM9 digital signature collaborative generation method.
Example 2,
This embodiment includes $m$ devices, numbered No. 1 to No. $m$, where device No. 1 knows $d_A$ in advance. In the initialization phase, the $m$ devices obtain the secrets $c_1, \ldots, c_m$, and $P_A$, $g_c$ are calculated, as follows:
device No. 1 randomly selects an integer $c_1$ in the interval $[1, n-1]$, calculates $Q_1 = [(c_1)^{-1}]d_A$, $u_1 = g^{(c_1)^{-1}}$, where $g = e(P_1, P_{pub})$, and then sends $Q_1$, $u_1$ to the next device, i.e., device No. 2;
after receiving $Q_{i-1}$, $u_{i-1}$, device No. $i$, $i = 2, \ldots, m$, randomly selects an integer $c_i$ in the interval $[1, n-1]$ and calculates $Q_i = [(c_i)^{-1}]Q_{i-1}$, $u_i = u_{i-1}^{(c_i)^{-1}}$;
if $i = m$, then $P_A = Q_m$, $g_c = u_m$ are taken; otherwise, device No. $i$ sends $Q_i$, $u_i$ to the next device, i.e., device No. $i+1$, until the calculation of $Q_m$, $u_m$ is completed;
device No. $m$ distributes $P_A$, $g_c$ to the other $m-1$ devices, and device No. 1 destroys $d_A$;
thereafter, when a message needs to be digitally signed using the user's SM9 identification private key $d_A$, the $m$ devices generate the digital signature for the message according to Scheme I of the SM9 digital signature collaborative generation method.
Example 3,
This embodiment includes $m$ devices, numbered No. 1 to No. $m$, where device No. 1 is a user device that knows the user's SM9 identification private key $d_A$ in advance, and the remaining $m-1$ devices are cryptographic servers providing cryptographic services. In the initialization phase, the $m$ devices obtain the secrets $c_1, \ldots, c_m$, and $P_A$, $g_c$ are calculated, as follows:
device No. 1 randomly selects an integer $c_1$ in the interval $[1, n-1]$, calculates $Q_1 = [(c_1)^{-1}]d_A$, $u_1 = g^{(c_1)^{-1}}$, where $g = e(P_1, P_{pub})$, and then sends $Q_1$, $u_1$ to the next device, i.e., device No. 2;
after receiving $Q_{i-1}$, $u_{i-1}$, device No. $i$, $i = 2, \ldots, m$, fixedly selects in the interval $[1, n-1]$ an integer $c_i$ unknown to the other devices (i.e., the value of $c_i$ is fixed for different $d_A$) and calculates $Q_i = [(c_i)^{-1}]Q_{i-1}$, $u_i = u_{i-1}^{(c_i)^{-1}}$;
if $i = m$, then $P_A = Q_m$, $g_c = u_m$ are taken; otherwise, device No. $i$ sends $Q_i$, $u_i$ to the next device, i.e., device No. $i+1$, until the calculation of $Q_m$, $u_m$ is completed;
device No. $m$ distributes $P_A$, $g_c$ to the $m$ devices, and device No. 1 destroys $d_A$;
thereafter, when a message needs to be digitally signed using the user's SM9 identification private key $d_A$, the $m$ devices generate the digital signature for the message according to Scheme I of the SM9 digital signature collaborative generation method.
Example 4,
This embodiment includes $m$ devices, numbered No. 1 to No. $m$; one of the $m$ devices, or a device other than the $m$ devices, knows $d_A$ in advance. In the initialization phase, the $m$ devices obtain the secrets $c_1, \ldots, c_m$, and $P_A$, $g_c$ are calculated, as follows:
the device that knows $d_A$ in advance randomly selects $m$ integers $c_1, \ldots, c_m$ in the interval $[1, n-1]$ such that $(c_1 + c_2 + \cdots + c_m) \bmod n \neq 0$, and calculates:
$P_A = [(c_1 + c_2 + \cdots + c_m)^{-1}]d_A$, $g_c = g^{(c_1 + c_2 + \cdots + c_m)^{-1}}$, where $g = e(P_1, P_{pub})$;
it then destroys $d_A$ and distributes $P_A$, $g_c$, $c_i$ to device No. $i$, $i = 1, \ldots, m$ (possibly including itself);
thereafter, when a message needs to be digitally signed using the user's SM9 identification private key $d_A$, the $m$ devices generate the digital signature for the message according to Scheme II of the SM9 digital signature collaborative generation method.
Example 5,
This embodiment includes $m$ devices, numbered No. 1 to No. $m$; one of the $m$ devices, or a device other than the $m$ devices, knows $d_A$ in advance.
In the initialization phase, the device that knows $d_A$ in advance (which may be one of the $m$ devices or a device other than the $m$ devices) randomly selects in the interval $[1, n-1]$ an integer $c$ and $m$ integers $b_1, \ldots, b_m$ such that $(b_1 + b_2 + \cdots + b_m) \bmod n = 1$, and calculates:
$P_A = [c^{-1}]d_A$, $g_c = g^{c^{-1}}$, where $g = e(P_1, P_{pub})$;
$d_i = [b_i]d_A$, $i = 1, \ldots, m$;
it then destroys $d_A$, $c$, $b_1, \ldots, b_m$ and distributes $P_A$, $g_c$, $d_i$ to device No. $i$, $i = 1, \ldots, m$ (possibly including itself);
thereafter, when a message needs to be digitally signed using the user's SM9 identification private key $d_A$, the $m$ devices generate the digital signature for the message according to the variant of Scheme II of the SM9 digital signature collaborative generation method.
Example 6,
This embodiment includes $k$ devices, one or more of which knows in advance the user's SM9 identification private key $d_A$; the $k$ devices cooperatively generate digital signatures by $(m, k)$ threshold secret sharing, $k > m \geq 2$. In the initialization phase, the device that knows $d_A$ in advance shares a secret among the $k$ devices according to the threshold secret sharing scheme and calculates $P_A$, $g_c$, as follows:
the device that knows $d_A$ in advance randomly selects an integer $c$ in the interval $[1, n-1]$ and then divides $c$ into $k$ secret shares according to the threshold secret sharing scheme; it calculates $P_A = [c^{-1}]d_A$, $g_c = g^{c^{-1}}$, where $g = e(P_1, P_{pub})$; it then destroys $d_A$ and distributes $P_A$, $g_c$ and the $k$ threshold secret shares to the $k$ devices respectively;
when a digital signature for the message $M$ needs to be generated using the user's SM9 identification private key, $m$ of the $k$ devices form a combination and generate the digital signature for the message using the SM9 digital signature threshold generation method.
A corresponding SM9 digital signature collaborative generation system can be constructed according to the method of the invention.
If threshold secret sharing is not adopted, the system comprises $m$ devices, $m \geq 2$; either all $m$ devices are cryptographic servers providing cryptographic services, or one of the $m$ devices is a user device and the remaining $m-1$ devices are cryptographic servers providing cryptographic services. When a message needs to be digitally signed using the user's SM9 identification private key, the $m$ devices cooperatively generate the digital signature for the message by implementing Scheme I, Scheme II or the variant of Scheme II of the SM9 digital signature collaborative generation method of the invention, including by implementing the foregoing Examples 1 to 5.
If $(m, k)$ threshold secret sharing is adopted, $k > m \geq 2$, the system comprises $k$ devices; either all $k$ devices are cryptographic servers providing cryptographic services, or one of the $k$ devices is a user device and the remaining $k-1$ devices are cryptographic servers providing cryptographic services. When a message needs to be digitally signed using the user's SM9 identification private key, $m$ of the $k$ devices use their threshold secret shares to cooperatively generate the digital signature for the message by implementing the SM9 digital signature threshold generation method of the invention, including by implementing the foregoing Example 6.
Other specific technical implementations not described are well known to those skilled in the relevant art.

Claims (10)

1. An SM9 digital signature collaborative generation method, characterized in that:
the method involves $m$ devices, where $m \geq 2$;
the $m$ devices are numbered No. 1 to No. $m$;
the $m$ devices respectively store integer secrets $c_1, c_2, \ldots, c_m$ in the interval $[1, n-1]$, where $n$ is the order of the groups $G_1$, $G_2$, $G_T$ in the SM9 cryptographic algorithm, and $c_i$ is the secret held by device No. $i$, $i = 1, \ldots, m$;
the following are pre-calculated in the initialization phase:
$P_A = [(c_1 c_2 \cdots c_m)^{-1}]d_A$,
$g_c = g^{(c_1 c_2 \cdots c_m)^{-1}}$,
where $d_A$ is the SM9 identification private key corresponding to the user's identity $ID_A$, $(c_1 c_2 \cdots c_m)^{-1}$ is the modulo-$n$ multiplicative inverse of $(c_1 c_2 \cdots c_m)$, $g = e(P_1, P_{pub})$, $P_1$ is the generator of $G_1$, and $P_{pub}$ is the master public key;
when a message $M$ needs to be digitally signed using the user's SM9 identification private key $d_A$, the $m$ devices generate the digital signature as follows:
device No. 1 randomly selects an integer $r_1$ in the interval $[1, n-1]$ and calculates $g_1 = g_c^{r_1}$ or $g_1 = g_c^{c_1 r_1}$;
device No. 1 sends $g_1$ to the next device, i.e., device No. 2;
after receiving $g_{i-1}$, device No. $i$, $i = 2, \ldots, m$, randomly selects an integer $r_i$ in the interval $[1, n-1]$ and calculates $g_i = (g_{i-1}^{c_i})(g_c^{r_i})$ or $g_i = (g_{i-1}\, g_c^{r_i})^{c_i}$;
if $i = m$, the process proceeds to the calculation of $h$; otherwise, device No. $i$ sends $g_i$ to the next device, i.e., device No. $i+1$, until device No. $m$ completes the calculation of $g_m$;
device No. $m$ takes $w = g_m$;
one of the $m$ devices:
calculates $h = H_2(M \| w, n)$, where $H_2$ is the hash function specified in SM9, $M \| w$ denotes $w$ converted to a string and concatenated with the string of $M$, and $n$ is the order of the groups $G_1$, $G_2$, $G_T$ in the SM9 cryptographic algorithm;
checks whether $w$ equals $g^h$; if $w = g^h$, the calculation of $g_1, \ldots, g_m$ is performed again, until $w \neq g^h$;
thereafter, device No. 1 calculates $S_1$ as follows:
if the formula device No. 1 previously used to calculate $g_1$ was $g_1 = g_c^{r_1}$, then:
$S_1 = [r_1 - c_1 h]P_A$;
if the formula device No. 1 previously used to calculate $g_1$ was $g_1 = g_c^{c_1 r_1}$, then:
$S_1 = [c_1 r_1 - c_1 h]P_A$;
device No. 1 sends $S_1$ to the next device, i.e., device No. 2;
after receiving $S_{i-1}$, device No. $i$, $i = 2, \ldots, m$, calculates $S_i$ as follows:
if the formula device No. $i$ previously used to calculate $g_i$ was $g_i = (g_{i-1}^{c_i})(g_c^{r_i})$, then:
$S_i = [c_i]S_{i-1} + [r_i]P_A$;
if the formula device No. $i$ previously used to calculate $g_i$ was $g_i = (g_{i-1}\, g_c^{r_i})^{c_i}$, then:
$S_i = [c_i](S_{i-1} + [r_i]P_A)$;
if $i = m$, then $S = S_m$ and $(h, S)$ is the generated digital signature for the message $M$; otherwise, device No. $i$ sends $S_i$ to the next device, i.e., device No. $i+1$, until device No. $m$ completes the calculation of $S_m$.
2. The SM9 digital signature collaborative generation method of claim 1, wherein:
in the initialization phase, one way for the m devices to obtain the secrets c_1, …, c_m and for P_A, g_c to be calculated is as follows:
with d_A known in advance, m integers c_1, …, c_m are randomly selected in the interval [1, n-1], and the following are calculated:
P_A = [(c_1 c_2 … c_m)^{-1}]d_A, g_c = g^((c_1 c_2 … c_m)^{-1}), where g = e(P_1, P_pub);
then d_A is destroyed, and P_A, g_c, c_i are distributed to device No. i, i = 1, …, m.
3. The SM9 digital signature collaborative generation method of claim 1, wherein:
if d_A is known in advance by device No. 1, one way for the m devices to obtain the secrets c_1, …, c_m and to calculate P_A, g_c in the initialization phase is as follows:
device No. 1 randomly selects an integer c_1 in the interval [1, n-1], or fixedly selects in the interval [1, n-1] an integer c_1 unknown to the other devices, calculates Q_1 = [(c_1)^{-1}]d_A and u_1 = g^((c_1)^{-1}), where g = e(P_1, P_pub), and then sends Q_1, u_1 to the next device, i.e. device No. 2;
after receiving Q_{i-1}, u_{i-1}, device No. i, i = 2, …, m, randomly selects an integer c_i in the interval [1, n-1], or fixedly selects in the interval [1, n-1] an integer c_i unknown to the other devices, and calculates Q_i = [(c_i)^{-1}]Q_{i-1}, u_i = u_{i-1}^((c_i)^{-1});
if i = m, then P_A = Q_m and g_c = u_m are taken; otherwise device No. i sends Q_i, u_i to the next device, i.e. device No. i+1, until the calculation of Q_m, u_m is completed;
finally, device No. m distributes P_A, g_c to the other m-1 devices, and device No. 1 destroys d_A.
4. An SM9 digital signature collaborative generation system based on the SM9 digital signature collaborative generation method of any one of claims 1 to 3, characterized in that:
the system comprises m devices, and the m devices generate digital signatures for messages according to the SM9 digital signature collaborative generation method.
5. An SM9 digital signature collaborative generation method, characterized in that:
the method involves m devices, where m ≥ 2;
the m devices are numbered No. 1 to No. m respectively;
the m devices respectively hold, either stored or derived from stored secrets, integer secrets c_1, c_2, …, c_m in the interval [1, n-1], where n is the order of the groups G_1, G_2, G_T in the SM9 cryptographic algorithm, c_i is the secret stored by device No. i or derived by it from a stored secret, i = 1, …, m, and (c_1 + c_2 + … + c_m) mod n ≠ 0;
the following are pre-calculated in the initialization phase:
P_A = [(c_1 + c_2 + … + c_m)^{-1}]d_A,
g_c = g^((c_1 + c_2 + … + c_m)^{-1}),
where d_A is the SM9 identity private key corresponding to the user's identity ID_A, (c_1 + c_2 + … + c_m)^{-1} is the multiplicative inverse of (c_1 + c_2 + … + c_m) modulo n, g = e(P_1, P_pub), P_1 is the generator of G_1, and P_pub is the master public key;
when a digital signature on a message M needs to be generated using the user's SM9 identity private key d_A, the m devices generate the digital signature as follows:
device No. i randomly selects an integer r_i in the interval [1, n-1] and calculates g_i = g_c^{r_i}, i = 1, …, m;
one of the m devices:
calculating w = g_1 g_2 … g_m and h = H_2(M || w, n), where H_2 is the hash function specified in SM9, M || w denotes the concatenation of the string M with w converted to a string, and n is the order of the groups G_1, G_2, G_T in the SM9 cryptographic algorithm;
checking whether w equals g^h, and if w = g^h, performing the calculation of g_1, …, g_m again until w ≠ g^h;
thereafter, device No. i calculates S_i = [(r_i - c_i h)]P_A, i = 1, …, m;
then, one of the m devices calculates S = S_1 + S_2 + … + S_m;
then (h, S) is the generated digital signature for the message M.
6. The SM9 digital signature collaborative generation method of claim 5, wherein:
in the initialization phase, one way for the m devices to obtain the secrets c_1, …, c_m and for P_A, g_c to be calculated is as follows:
with d_A known in advance, m integers c_1, …, c_m are randomly selected in the interval [1, n-1] such that (c_1 + c_2 + … + c_m) mod n ≠ 0, and the following are calculated:
P_A = [(c_1 + c_2 + … + c_m)^{-1}]d_A, g_c = g^((c_1 + c_2 + … + c_m)^{-1}), where g = e(P_1, P_pub);
then d_A is destroyed, and P_A, g_c, c_i are distributed to device No. i, i = 1, …, m.
7. The SM9 digital signature collaborative generation method of claim 5, wherein:
one variation of the SM9 digital signature collaborative generation method is as follows:
in the initialization phase, with d_A known in advance, an integer c and m integers b_1, b_2, …, b_m are randomly selected in the interval [1, n-1] such that (b_1 + b_2 + … + b_m) mod n = 1, and the following are calculated:
P_A = [c^{-1}]d_A, g_c = g^(c^{-1}), where g = e(P_1, P_pub);
d_i = [b_i]d_A, i = 1, …, m;
then d_A, c, b_1, …, b_m are destroyed, and P_A, g_c, d_i are distributed to device No. i, i = 1, …, m;
when a digital signature on a message M needs to be generated using the user's SM9 identity private key d_A, device No. i of the m devices calculates S_i as follows:
S_i = [r_i]P_A + [-h]d_i, i = 1, …, m;
other calculations and operations are unchanged, including the way w is collaboratively calculated and the way h and S are calculated.
8. An SM9 digital signature threshold generation method based on the SM9 digital signature collaborative generation method of claim 5, characterized in that:
the SM9 digital signature threshold generation method involves k devices, which collaboratively generate digital signatures by means of (m, k) threshold secret sharing, where k > m ≥ 2;
in the initialization phase, with d_A known in advance, an integer c is randomly selected in the interval [1, n-1], c is divided into k secret shares according to the threshold secret sharing scheme, and P_A = [c^{-1}]d_A, g_c = g^(c^{-1}) are calculated, where g = e(P_1, P_pub); then d_A is destroyed, and P_A, g_c and the k threshold secret shares are distributed to the k devices respectively;
when a digital signature on a message M needs to be generated using the user's SM9 identity private key, m of the k devices form a combination and are denoted devices No. 1 to No. m; each device in the combination uses its own threshold secret to calculate, according to the current combination, the secret share required for applying the SM9 digital signature collaborative generation method, and the m devices then generate the digital signature for the message M by applying the SM9 digital signature collaborative generation method.
9. An SM9 digital signature collaborative generation system based on the SM9 digital signature collaborative generation method of any one of claims 5 to 7, characterized in that:
the system comprises m devices, and the m devices generate digital signatures for messages according to the SM9 digital signature collaborative generation method.
10. An SM9 digital signature threshold generation system based on the SM9 digital signature threshold generation method of claim 8, characterized in that:
the system comprises k devices, where k > m ≥ 2, and the k devices generate digital signatures for messages according to the SM9 digital signature threshold generation method.
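The sequential method of claims 1 and 3, as an added example that is not part of the patent text: a toy model in which G_T is a small prime-order subgroup of Z_p* and a G_1 point [x]P_1 is represented by its scalar x, so the pairing value e(S, P) used in SM9 verification can be computed as g^(S/d_A). The parameters P, N, G and the function names are assumptions made for this illustration; the model only checks that the chained (h, S) verifies like an ordinary signature under d_A.

```python
import hashlib
import secrets

# Toy stand-ins (constructed, not SM9 parameters): G_T is the order-N subgroup
# of Z_P*, and a G_1 point [x]P_1 is represented by its scalar x mod N.
P, N, G = 2039, 1019, 4

def rand_scalar():
    return secrets.randbelow(N - 1) + 1            # uniform in [1, n-1]

def h2(msg, w):
    # Stand-in for SM9's H_2(M || w, n); output in [1, n-1].
    digest = hashlib.sha256(msg + w.to_bytes(2, "big")).digest()
    return int.from_bytes(digest, "big") % (N - 1) + 1

def init_chain(d_a, m):
    # Claim 3: device 1 starts from d_A and each device i folds in c_i^{-1}.
    cs, q, u = [], d_a, G
    for _ in range(m):
        c = rand_scalar()
        inv = pow(c, -1, N)
        cs.append(c)
        q, u = inv * q % N, pow(u, inv, P)         # Q_i = [c_i^-1]Q_{i-1}, u_i = u_{i-1}^(c_i^-1)
    return cs, q, u                                # secrets c_i, P_A = Q_m, g_c = u_m

def sign_chain(msg, cs, p_a, g_c):
    # Claim 1, using the first formula variant at every device.
    while True:
        rs = [rand_scalar() for _ in cs]
        w = pow(g_c, rs[0], P)                     # g_1 = g_c^r_1
        for c, r in zip(cs[1:], rs[1:]):
            w = pow(w, c, P) * pow(g_c, r, P) % P  # g_i = g_{i-1}^c_i * g_c^r_i
        h = h2(msg, w)
        if w != pow(G, h, P):                      # w = g^h would give S = 0: redo the round
            break
    s = (rs[0] - cs[0] * h) * p_a % N              # S_1 = [r_1 - c_1 h]P_A
    for c, r in zip(cs[1:], rs[1:]):
        s = (c * s + r * p_a) % N                  # S_i = [c_i]S_{i-1} + [r_i]P_A
    return h, s

def verify(msg, h, s, d_a):
    # SM9 verification recomputes w' = e(S, P) * g^h; in this toy model the
    # pairing value e(S, P) is g^(S/d_A), computed directly from the scalars.
    u = pow(G, s * pow(d_a, -1, N) % N, P)
    return h2(msg, u * pow(G, h, P) % P) == h
```

No device in `sign_chain` ever uses d_A: each step touches only its own c_i, r_i and the shared values P_A and g_c.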
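The additive method of claim 5 driven by the threshold setup of claim 8, as an added example that is not part of the patent text. Shamir secret sharing with Lagrange coefficients is assumed as the threshold scheme (the claims do not name one), and the toy group, the modelling of e(S, P) as g^(S/d_A), and all function names are likewise assumptions of this illustration.

```python
import hashlib
import secrets

# Toy stand-ins (constructed, not SM9 parameters): G_T is the order-N subgroup
# of Z_P*, and a G_1 point [x]P_1 is represented by its scalar x mod N.
P, N, G = 2039, 1019, 4

def h2(msg, w):
    # Stand-in for SM9's H_2(M || w, n); output in [1, n-1].
    digest = hashlib.sha256(msg + w.to_bytes(2, "big")).digest()
    return int.from_bytes(digest, "big") % (N - 1) + 1

def deal(d_a, k, m):
    # Claim 8 initialisation: pick c, compute P_A and g_c, share c among k devices.
    # Shamir sharing is assumed here; shares are resampled until all are nonzero.
    c = secrets.randbelow(N - 1) + 1
    inv = pow(c, -1, N)
    while True:
        poly = [c] + [secrets.randbelow(N) for _ in range(m - 1)]
        shares = {x: sum(a * pow(x, j, N) for j, a in enumerate(poly)) % N
                  for x in range(1, k + 1)}
        if all(shares.values()):
            return shares, inv * d_a % N, pow(G, inv, P)

def derive(share, i, combo):
    # Device i turns its threshold share into the additive secret c_i for the
    # current combination (Lagrange coefficient at 0), so that sum(c_i) = c mod n.
    lam = 1
    for j in combo:
        if j != i:
            lam = lam * j * pow((j - i) % N, -1, N) % N
    return lam * share % N

def sign_sum(msg, cs, p_a, g_c):
    # Claim 5: cs maps device number -> c_i; w is the product of all g_i = g_c^r_i.
    while True:
        rs = {i: secrets.randbelow(N - 1) + 1 for i in cs}
        w = 1
        for r in rs.values():
            w = w * pow(g_c, r, P) % P
        h = h2(msg, w)
        if w != pow(G, h, P):                  # w = g^h would give S = 0: redo the round
            break
    parts = [(rs[i] - cs[i] * h) * p_a % N for i in cs]   # S_i = [r_i - c_i h]P_A
    return h, sum(parts) % N                               # S = S_1 + ... + S_m

def verify(msg, h, s, d_a):
    # Toy model of SM9 verification: e(S, P) is g^(S/d_A), then w' = e(S, P) * g^h.
    u = pow(G, s * pow(d_a, -1, N) % N, P)
    return h2(msg, u * pow(G, h, P) % P) == h
```

Any m of the k devices can sign, and each one computes its c_i locally from its own share and the member numbers of the current combination.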
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711147604.9A CN107819585B (en) 2017-11-17 2017-11-17 SM9 digital signature collaborative generation method and system

Publications (2)

Publication Number Publication Date
CN107819585A (en) 2018-03-20
CN107819585B (en) 2020-08-25

Family

ID=61609456

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant